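Authors: 李珊, 王斌[1], 王伟[1] (LI Shan; WANG Bin; WANG Wei) (Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China)
Affiliation: [1] Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing 100044, China
Source: Journal of Guangzhou University: Natural Science Edition (《广州大学学报(自然科学版)》), 2023, No. 4, pp. 56-65 (10 pages)
Funding: National Key Research and Development Program of China (2022YFB2702903); Key Program of the Joint Funds of the National Natural Science Foundation of China (U21A20463, U22B2027).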
Abstract: In recent years, smart contracts have been widely applied in fields such as decentralized finance and supply chain management. However, smart contract vulnerabilities have caused serious losses in these fields. Because a smart contract cannot be modified once it is deployed on the blockchain, developers must check its security after writing it. Most existing deep-learning-based detection methods use bytecode and source code; however, bytecode-based detection methods cannot locate where a vulnerability may occur, and detection applied directly to vectorized source code has low accuracy. To improve the accuracy of vulnerability detection and make the detection results more interpretable, this paper proposes a smart contract vulnerability detection method based on semantic structure analysis of source code. First, the smart contract source code is transformed into an abstract syntax tree (AST), and the syntactic relationship between the source code and the AST is studied. Second, by analyzing the AST attribute features and vulnerability characteristics of contracts on Ethereum, five vulnerability-related attribute features are identified, and the AST is sliced around these node features to obtain subtree slices related to the vulnerability characteristics. Finally, the structural features and attribute features of the subtree slices are extracted and represented as graph structures. A graph isomorphism network model, which has better graph representation capability, is used to detect on the graph structures of the subtree slices, and experiments were conducted on 33812 smart contracts on Ethereum. The experimental results show that the proposed method is significantly more effective than other methods: Macro-F1 exceeds 90%, and the F1-scores for the unchecked return value and reentrancy vulnerabilities reach 97% and 92%, respectively.
Classification number: TP391 [Automation and Computer Technology - Computer Application Technology]